From e08c76fa1deea9f655d72c8d54e20e888acf8400 Mon Sep 17 00:00:00 2001
From: Carl Alberto
Date: Fri, 1 Nov 2019 12:59:49 +0800
Subject: [PATCH] sanitized input and output
---
 .../class-tika-doc-pdf-indexer-functions.php | 7 +-
 .../class-tika-doc-pdf-indexer-settings.php | 101 +++++++++++++++---
 includes/class-tika-doc-pdf-indexer.php | 14 ++-
 .../class-tika-doc-pdf-indexer-admin-api.php | 67 +++++++++---
 .../class-tika-doc-pdf-indexer-post-type.php | 4 +-
 lang/tika-doc-pdf-indexer.pot | 16 +--
 6 files changed, 157 insertions(+), 52 deletions(-)
diff --git a/includes/class-tika-doc-pdf-indexer-functions.php b/includes/class-tika-doc-pdf-indexer-functions.php
index 4a711a8..9646499 100644
--- a/includes/class-tika-doc-pdf-indexer-functions.php
+++ b/includes/class-tika-doc-pdf-indexer-functions.php
@@ -102,13 +102,13 @@ function tdpi_restrict_mimetypes( $mimes ) {
 $allowed_array = array();
 if ( in_array( 'pdf', $allowed, true ) ) {
- $allowed_array['pdf'] = 'application/pdf';
+ $allowed_array['pdf'] = array( 'application/pdf' );
 }
 if ( in_array( 'txt', $allowed, true ) ) {
- $allowed_array['txt'] = 'text/plain';
+ $allowed_array['txt'] = array( 'text/plain' );
 }
 if ( in_array( 'doc', $allowed, true ) ) {
- $allowed_array['doc'] = 'application/msword';
+ $allowed_array['doc'] = array( 'application/msword' );
 }
 global $post_type;
 if ( 'tdpi_doc' === $post_type ) {
@@ -280,3 +280,4 @@ function tdpi_save_tika_meta( $post_id, $post ) {
 // on upload existing file, attach data.
 // make the upload file required
 // default to upload and restric from selcting uploaded file or the recent file should be indexed.
+// Settings should file checks if correct or existing..
diff --git a/includes/class-tika-doc-pdf-indexer-settings.php b/includes/class-tika-doc-pdf-indexer-settings.php
index 428d4c3..4fd9ce7 100644
--- a/includes/class-tika-doc-pdf-indexer-settings.php
+++ b/includes/class-tika-doc-pdf-indexer-settings.php
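Review bot: Wrapping each MIME string in `array()` changes the value shape that the consumer of `$allowed_array` receives, and nothing in the hunk or the commit message ("sanitized input and output") explains the type change. If this array is what tdpi_restrict_mimetypes returns into the WordPress `upload_mimes` filter, that filter expects `extension => 'mime/type'` string values and a nested array would break the extension-to-type lookup in wp_check_filetype; in that case the previous form, `$allowed_array['pdf'] = 'application/pdf';`, should be restored. If the nesting is deliberate, a comment at the first assignment such as `// Value is a list of MIME types; the consumer flattens it before handing it to upload_mimes.` would record the contract. tdpi_restrict_mimetypes continues outside the hunk, so the consumer of `$allowed_array` is not visible here.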
@@ -50,6 +50,91 @@ class Tika_Doc_PDF_Indexer_Settings { */ public $settings = array(); + /** + * Allowed html. + * + * @var array + */ + public $allowed_htmls_form = [ + 'a' => [ + 'href' => [], + 'title' => [], + ], + 'input' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'class' => [], + ], + 'select' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'multiple' => [], + ], + 'option' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'multiple' => [], + 'selected' => [], + ], + 'label' => [ + 'for' => [], + 'title' => [], + ], + 'span' => [ + 'class' => [], + 'title' => [], + ], + 'div' => [ + 'class' => [], + 'id' => [], + ], + 'table' => [ + 'scope' => [], + 'title' => [], + 'class' => [], + 'role' => [], + ], + 'tbody' => [ + 'scope' => [], + 'title' => [], + 'class' => [], + 'role' => [], + ], + 'th' => [ + 'scope' => [], + 'title' => [], + ], + 'tr' => [], + 'td' => [], + 'p' => [], + 'br' => [], + 'h2' => [], + 'em' => [], + 'strong' => [], + 'th' => [], + 'form' => [ + 'method' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'multiple' => [], + 'selected' => [], + 'action' => [], + 'enctype' => [], + ], + + ]; + /** * Constructor function. * @@ -195,17 +280,7 @@ public function register_settings() { if ( is_array( $this->settings ) ) { // Check posted/selected tab. - //phpcs:disable $current_section = ''; - if ( isset( $_POST['tab'] ) && $_POST['tab'] ) { - $current_section = $_POST['tab']; - } else { - if ( isset( $_GET['tab'] ) && $_GET['tab'] ) { - $current_section = $_GET['tab']; - } - } - //phpcs:enable - foreach ( $this->settings as $section => $data ) { if ( $current_section && $current_section !== $section ) { @@ -256,8 +331,8 @@ public function register_settings() { * @return void */ public function settings_section( $section ) { - $html = '
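Review bot: The `'th'` key appears twice in `$allowed_htmls_form` — once with `'scope'` and `'title'` and again near the end as `'th' => [],`; PHP keeps the last duplicate key in an array literal, so the earlier entry is discarded and wp_kses strips `scope` and `title` from every `th`. Delete the second `'th' => [],` line (or merge it into the first entry). The same whitelist, minus the form and table entries, is duplicated as `$allowed_htmls` in includes/lib/class-tika-doc-pdf-indexer-admin-api.php in this commit; a single shared constant would keep the two lists from drifting. Since the list is a fixed output filter, declaring it as a class constant rather than a public mutable property also removes the possibility of it being widened at runtime.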
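Review bot: Deleting the `$_POST['tab']`/`$_GET['tab']` read leaves `$current_section` permanently `''`, so the `if ( $current_section && $current_section !== $section )` guard in the loop below can never skip a section and every section is registered on every request — the tab selection is removed rather than sanitized. If the goal was only to clear the phpcs warning, keep the read and sanitize it, e.g. `$current_section = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : '';` (and the same for `$_POST['tab']` if the form posts it); a read-only tab selector does not need a nonce, it needs a sanitizer. register_settings continues outside the hunk.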

' . $this->settings[ $section['id'] ]['description'] . '

' . "\n"; - echo $html; //phpcs:ignore + $html = $this->settings[ $section['id'] ]['description'] . "\n"; + echo esc_html( $html ); } /** @@ -288,7 +363,7 @@ public function settings_page() { $html .= '' . "\n"; $html .= '' . "\n"; - echo $html; //phpcs:ignore + echo wp_kses( $html, $this->allowed_htmls_form ); } /** diff --git a/includes/class-tika-doc-pdf-indexer.php b/includes/class-tika-doc-pdf-indexer.php index 8b84d43..4a86d13 100644 --- a/includes/class-tika-doc-pdf-indexer.php +++ b/includes/class-tika-doc-pdf-indexer.php @@ -272,20 +272,25 @@ private function _log_version_number() { //phpcs:ignore update_option( $this->_token . '_version', $this->_version ); } // End _log_version_number () + /** + * Register document post type. + * + * @return void + */ public function register_doc_postype() { - $options = array( + $options = array( 'menu_icon' => 'dashicons-media-document', 'supports' => array( 'title', 'thumbnail' ), ); $description = ''; $this->register_post_type( - 'tdpi_doc', - __( 'Documents', 'tika-doc-pdf-indexer' ), + 'tdpi_doc', + __( 'Documents', 'tika-doc-pdf-indexer' ), __( 'Document', 'tika-doc-pdf-indexer' ), $description, $options - ); + ); } /** @@ -315,7 +320,6 @@ public function __construct( $file = '', $version = '1.0.0' ) { // Load admin JS & CSS. add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_scripts' ), 10, 1 ); add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_styles' ), 10, 1 ); - // Load API for generic admin functions. if ( is_admin() ) { diff --git a/includes/lib/class-tika-doc-pdf-indexer-admin-api.php b/includes/lib/class-tika-doc-pdf-indexer-admin-api.php index 3cb87fa..da92175 100644 --- a/includes/lib/class-tika-doc-pdf-indexer-admin-api.php +++ b/includes/lib/class-tika-doc-pdf-indexer-admin-api.php 
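Review bot: `esc_html()` on the section description renders any markup in that string as literal text, so if `$this->settings[ $section['id'] ]['description']` strings carry links or emphasis they now display as raw tags; the removed line also appears to have wrapped the description in container markup that the new version no longer emits, so the section's layout changes as well. If descriptions are plain text this is the right escaper, and a comment at the assignment such as `// Descriptions are plain text; any markup is escaped on output.` would document the contract; if they may contain inline HTML, `echo wp_kses_post( $html );` keeps safe markup while still neutralizing scripts.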
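Review bot: `wp_kses( $html, $this->allowed_htmls_form )` passes only what the whitelist names, and that list has no `textarea`, no `checked`/`disabled`/`required` on `input` and no `class` on `label`, so any settings field that relies on those is silently stripped at render time with no error. Because `$html` here is assembled from plugin-controlled markup, the more robust pattern is to escape each interpolated value where it is inserted (`esc_attr()` for attribute values, `esc_html()` for text) and reserve kses for genuinely untrusted HTML; if kses stays, every field type the page renders should be checked against the whitelist. settings_page's body is mostly outside the hunk, so which field types it emits is not visible here.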
@@ -21,6 +21,54 @@ public function __construct() { add_action( 'save_post', array( $this, 'save_meta_boxes' ), 10, 1 ); } + /** + * Allowed html. + * + * @var array + */ + public $allowed_htmls = [ + 'a' => [ + 'href' => [], + 'title' => [], + ], + 'input' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + ], + 'select' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'multiple' => [], + ], + 'option' => [ + 'id' => [], + 'type' => [], + 'name' => [], + 'placeholder' => [], + 'value' => [], + 'multiple' => [], + 'selected' => [], + ], + 'label' => [ + 'for' => [], + 'title' => [], + ], + 'span' => [ + 'class' => [], + 'title' => [], + ], + 'br' => [], + 'em' => [], + 'strong' => [], + + ]; + /** * Generate HTML for displaying fields. * @@ -171,16 +219,6 @@ public function display_field( $data = array(), $post = false, $echo = true ) { $html .= '
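Review bot: `$allowed_htmls` is declared after the constructor, whereas PSR-12 places properties before methods, and its docblock `Allowed html.` does not say what the list governs — something like `/** Elements and attributes wp_kses() permits in display_field() output. @var array<string, array<string, array>> */` would. The list also omits `textarea`, `checked`/`disabled`/`class` on `input` and `class` on `label`, so any field type in display_field that emits those (the method is long and mostly outside this hunk) would be mangled at render time rather than fail loudly; each field type should be checked against the whitelist before relying on kses as the output filter.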
' . "\n"; break; - case 'color': - //phpcs:disable - ?>
- -
-
- allowed_htmls ); } /** @@ -345,8 +382,10 @@ public function save_meta_boxes( $post_id = 0 ) { } foreach ( $fields as $field ) { - if ( isset( $_REQUEST[ $field['id'] ] ) ) { //phpcs:ignore - update_post_meta( $post_id, $field['id'], $this->validate_field( $_REQUEST[ $field['id'] ], $field['type'] ) ); //phpcs:ignore + if ( isset( $_REQUEST[ $field['id'] ] ) ) { + if ( wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $field['id'] ] ) ) ) ) { + update_post_meta( $post_id, $field['id'], $this->validate_field( wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $field['id'] ], $field['type'] ) ) ) ) ); + } } else { update_post_meta( $post_id, $field['id'], '' ); } diff --git a/includes/lib/class-tika-doc-pdf-indexer-post-type.php b/includes/lib/class-tika-doc-pdf-indexer-post-type.php index e877230..4982103 100644 --- a/includes/lib/class-tika-doc-pdf-indexer-post-type.php +++ b/includes/lib/class-tika-doc-pdf-indexer-post-type.php 
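Review bot: The `case 'color':` branch is removed rather than escaped, so a field declared with `'type' => 'color'` now falls through to whatever default handling the switch has instead of rendering a color control; if dropping the type is intended, display_field's field-type documentation should say so, otherwise the case should be restored with escaped output like the other branches. The signature shows an `$echo` parameter, and the new `echo wp_kses( $html, $this->allowed_htmls )` is the only output path visible in the hunk — confirm the `$echo === false` branch still returns `$html` for callers that expect a string. display_field starts outside the hunk.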
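Review bot: `wp_verify_nonce()` is applied to each submitted field value rather than to a nonce, so for any real meta value it returns false and the inner `update_post_meta()` never runs — saving meta from this meta box is effectively disabled, and the `else` branch that clears meta is skipped for submitted fields too. The inner call is also mis-nested: `wp_unslash( $_REQUEST[ $field['id'] ], $field['type'] )` hands the type to wp_unslash and `validate_field()` receives a boolean with no type. A nonce protects the whole request, so it should be verified once before the loop against the field the meta box emits (the names in the fence are placeholders; use those passed to `wp_nonce_field()` in the render code), together with a `current_user_can( 'edit_post', $post_id )` check, and each value then goes through `validate_field()` with its type, which is where type-appropriate sanitization belongs — its body is outside the hunk, so confirm it sanitizes every type it handles. Reading `$_POST` instead of `$_REQUEST` also stops meta values arriving via the query string or cookies on a save_post request. save_meta_boxes starts outside the hunk.
```php
		// … unchanged: resolve $fields for this post type …
		// Constructed example: nonce field/action names must match the meta box's wp_nonce_field() call.
		if ( ! isset( $_POST['TODO_NONCE_FIELD'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['TODO_NONCE_FIELD'] ) ), 'TODO_NONCE_ACTION' ) ) {
			return;
		}
		if ( ! current_user_can( 'edit_post', $post_id ) ) {
			return;
		}
		foreach ( $fields as $field ) {
			if ( isset( $_POST[ $field['id'] ] ) ) {
				// validate_field() is responsible for type-specific sanitization of the raw value.
				$value = wp_unslash( $_POST[ $field['id'] ] );
				update_post_meta( $post_id, $field['id'], $this->validate_field( $value, $field['type'] ) );
			} else {
				update_post_meta( $post_id, $field['id'], '' );
			}
		}
```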
@@ -159,21 +159,19 @@ public function register_post_type() { */ public function updated_messages( $messages = array() ) { global $post, $post_ID; - //phpcs:disable $messages[ $this->post_type ] = array( 0 => '', 1 => sprintf( __( '%1$s updated. %2$sView %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '', $this->single, '' ), 2 => __( 'Custom field updated.', 'tika-doc-pdf-indexer' ), 3 => __( 'Custom field deleted.', 'tika-doc-pdf-indexer' ), 4 => sprintf( __( '%1$s updated.', 'tika-doc-pdf-indexer' ), $this->single ), - 5 => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s.', 'tika-doc-pdf-indexer' ), $this->single, wp_post_revision_title( (int) $_GET['revision'], false ) ) : false, + 5 => sprintf( __( '%1$s restored to previous revision.', 'tika-doc-pdf-indexer' ), $this->single ), 6 => sprintf( __( '%1$s published. %2$sView %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '', $this->single, '' ), 7 => sprintf( __( '%1$s saved.', 'tika-doc-pdf-indexer' ), $this->single ), 8 => sprintf( __( '%1$s submitted. %2$sPreview post%3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '', $this->single, '' ), 9 => sprintf( __( '%1$s scheduled for: %2$s. %3$sPreview %4$s%5$s.', 'tika-doc-pdf-indexer' ), $this->single, '' . date_i18n( __( 'M j, Y @ G:i', 'tika-doc-pdf-indexer' ), strtotime( $post->post_date ) ) . '', '', $this->single, '' ), 10 => sprintf( __( '%1$s draft updated. %2$sPreview %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '', $this->single, '' ), ); - //phpcs:enable return $messages; } diff --git a/lang/tika-doc-pdf-indexer.pot b/lang/tika-doc-pdf-indexer.pot index 7435942..f74f162 100644 --- a/lang/tika-doc-pdf-indexer.pot +++ b/lang/tika-doc-pdf-indexer.pot 
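Review bot: The revision message now drops the revision title entirely, although the removed line already cast `$_GET['revision']` to int before passing it to `wp_post_revision_title()`, so that read was not the unsafe part and the information loss is unnecessary. Keep the detail with an explicit WordPress sanitizer so phpcs is satisfied, e.g. `5 => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s.', 'tika-doc-pdf-indexer' ), $this->single, wp_post_revision_title( absint( $_GET['revision'] ), false ) ) : false,`. If the simplified wording is kept deliberately, the changed msgid should be reflected in lang/tika-doc-pdf-indexer.pot, which this commit touches but does not update for it.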
@@ -4,11 +4,11 @@ msgid "" msgstr "" "Project-Id-Version: Tika Doc PDF Indexer 1.0\n" "Report-Msgid-Bugs-To: http://wordpress.org/tag/WordPress-Plugin-Template\n" -"POT-Creation-Date: 2014-04-07 11:28:06+00:00\n" +"POT-Creation-Date: 2019-11-01 11:28:06+00:00\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"PO-Revision-Date: 2014-MO-DA HO:MI+ZONE\n" +"PO-Revision-Date: 2019-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -393,15 +393,3 @@ msgstr "" #. Plugin Name of the plugin/theme msgid "Tika Doc PDF Indexer" msgstr "" - -#. Plugin URI of the plugin/theme -msgid "http://www.hughlashbrooke.com/" -msgstr "" - -#. Author of the plugin/theme -msgid "Hugh Lashbrooke" -msgstr "" - -#. Author URI of the plugin/theme -msgid "http://www.hughlashbrooke.com/" -msgstr ""